
Multiple Threat Actors Moving Quickly to Exploit PHP Flaw

Easily Exploited Vulnerability Becomes Major Target for Malware Campaigns, Botnets

Multiple threat actors began exploiting a critical vulnerability in PHP scripting language within a day of its public disclosure last month, according to security firm Akamai. Administrators are advised to patch immediately.


Within days of the disclosure, the Akamai Security Intelligence Response Team spotted several malware campaigns taking advantage of the PHP vulnerability, tracked as CVE-2024-4577. The speed of the campaigns reflects the ease of exploitation, researchers said.

The flaw affects PHP installations running in CGI mode, particularly on Windows systems configured with Chinese or Japanese language locales.

To exploit the flaw, attackers use the php://input stream wrapper to place code in the body of a request. They typically combine it with the PHP auto_prepend_file and allow_url_include options so that their code runs before the requested script and can pull in content from remote locations.
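As an added illustration of how a defender could spot the request pattern described above in web-server access logs (example code written for this article, not Akamai's tooling; the log lines are constructed, and the field layout assumes the Apache/nginx combined log format):

```python
"""Flag access-log lines whose request target carries the PHP directives the
article associates with CVE-2024-4577 exploitation attempts.  Detection
heuristic only; the sample log lines below are constructed."""
import re
from urllib.parse import unquote

# Indicators named in the article. They are matched against the URL-decoded
# request target, case-insensitively, so percent-encoding does not hide them.
INDICATORS = ("php://input", "auto_prepend_file", "allow_url_include")

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def decode_target(target: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoding does not evade the match."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target.lower()


def find_indicators(target: str) -> list[str]:
    """Return the indicators present in the decoded request target, in INDICATORS order."""
    decoded = decode_target(target)
    return [ind for ind in INDICATORS if ind in decoded]


def scan_log(lines):
    """Return (client, raw target, matched indicators) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        found = find_indicators(m.group("target"))
        if found:
            hits.append((m.group("client"), m.group("target"), found))
    return hits


# Constructed sample: one benign request, one with the directives percent-encoded
# once, one double-encoded (all addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "POST /cgi-bin/php-cgi.exe?allow_url_include%3D1+auto_prepend_file%3Dphp%3A%2F%2Finput HTTP/1.1" 200 128',
    '198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "POST /test.php?%2561uto_prepend_file%253Dphp%253A%252F%252Finput HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, target, found in scan_log(SAMPLE_LOG):
        print(client, found, target)
```

A hit on these directives in a request target is a strong signal to pull the full request body and the responding host's patch status for review.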

Akamai identified these active malware campaigns:

  • Gh0st RAT Malware: This open-source remote access tool, which has been in use for over 15 years, was observed targeting this PHP flaw within 24 hours of disclosure. A malicious payload captured in the wild showed the malware enumerates connected drives and peripherals and queries the registry. The malware communicated with a command-and-control server based in Germany.
  • RedTail Cryptominer: This campaign involved a shell script downloading a miner file using wget or curl. The script targeted directories with read, write and execute permissions, excluding certain directories such as /tmp and /proc. The payload, once downloaded and executed, was renamed .redtail. This script, likely a result of threat actors reusing generic scripts, was effective.
  • Muhstik Malware: This campaign downloads a version of Muhstik malware, targeting internet of things devices and Linux servers for cryptomining and DDoS purposes. The malware created several directories and communicated with a command-and-control domain previously associated with Muhstik campaigns.
  • XMRig Cryptominer: The fourth campaign exploited the vulnerability to execute a PowerShell command, downloading and executing a script to spin up XMRig from a remote mining pool. The malware then cleaned up the temporary files to obfuscate the activity.

Akamai researchers recommend organizations act quickly to assess vulnerabilities and apply patches immediately.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
